Linking the Economics of Cyber Security and
Corporate Reputation
Ben Brooker, Jonathan Crawford, and Barry M. Horowitz
Abstract This paper deals with two aspects of breach reporting laws. The first analysis explores the
relationship between breach reports that attract media attention and the corresponding impact this can have
on corporations’ investment strategies for cyber security. We use openly available financial data and news
articles that publicize cyber breaches to derive estimates of how different companies might use part of their
cyber investment to protect their reputation. The second analysis develops elements of a framework for
evaluating the effectiveness of cyber security breach reporting laws. We address two important questions
in the assessment of breach reporting legislation: 1) How does the rate of reporting security breaches
across states compare with the rate of reporting of security threats to computer operating systems? and 2)
What factors other than the implementation of breach reporting legislation affect the rate of reporting
security breaches across states?
KEY WORDS: Cyber security; reputation; economics; security breach
JEL Classifications: C51, C82, K23, L51
B. Brooker
University of Virginia, Charlottesville, VA, USA
e-mail: bjb2v@virginia.edu
J. Crawford
University of Virginia, Charlottesville, VA, USA
e-mail: jac2bp@virginia.edu
B. Horowitz
University of Virginia, Charlottesville, VA, USA
e-mail: bh8e@virginia.edu
1 Reverse Engineering
Engineering professionals frequently use top-down analytical approaches in the solving of
problems. The attractive property of top-down functional development – optimized efficiency – is also its
weakness. It requires the engineer to make important modeling choices early in the analysis process, when
they have minimal knowledge (Valckenaers 2003). Reverse engineering is the process of analyzing a
subject system to identify the system’s components and their interrelationships and create representations
of the system in another form or at a higher level of abstraction (Chikofsky 1990). Reverse engineering in
and of itself does not involve changing the subject system or creating a new system based on the reverse-engineered subject system. It is a process of examination, not a process of change or replication
(Chikofsky 1990). In this paper we use the reverse engineering methodology by using openly available
data to take the actual decisions of companies and use an analytical model to uncover the implied values of
the decision makers. This method can be used to provide decision makers an opportunity to reconsider
their own decisions and also evaluate the values of competitors.
One specific example of how reverse engineering could be used in cyber security investment
decision analysis is in finding the Pareto-optimal solution for investment in cyber security for reputation
versus other investment uses of corporate profits. One is at a disadvantage when using a top-down
analytical methodology to guide cyber security investment decisions because there is little data available
about frequency of attacks and consequences and the process requires an understanding of the values of the
decision makers, which is extremely difficult without insider information. However, one can use reverse
engineering to analyze the actions of company decision makers, which are openly visible to the public, to
infer their implied values, assuming that their actions are rational and consistent with their industry. This
paper uses reverse engineering to quantitatively evaluate the relationship between cyber security
investments and reputation effects, using available data on attacks, corporate economic factors and cyber
investments.
2 Background
A wide variety of cyber-based crime opportunities has resulted in the evolution of various types
of cyber attacks that are used to cause business problems which ultimately result in economic
losses to individual businesses and to the national economy as a whole (Andrijcic 2006). Certain classes of
attacks can result in lasting consequences, such as loss of reputation, loss of intellectual property, legal
liability, or long, substantial Internet infrastructure outages (Andrijcic 2006). Our historical efforts have
focused on this set of attacks, as they are likely to result in larger economic impacts.
Even with the introduction of these new forms of risk, efficient cyber security budgeting within
companies and government agencies is not assured. The inefficient allocation of cyber security dollars can
be attributed to three facts: 1) Regulatory legislation on cyber security is relatively new, vague, and yet to
be proven effective, 2) There is yet to be a large-scale catalytic event that has demanded greater attention
and concern for cyber security, and 3) There still exists a knowledge gap between executive business
decision makers and IT decision makers in corporations. This paper focuses on how companies correlate
cyber security and risk to their reputation, and the range of short-term effects of regulatory legislation on
cyber security trends.
The publication in a newspaper of a security breach could damage the reputation of companies,
leading to corresponding losses of revenues. Management of the risk of a cyber security breach includes
companies investing to minimize the probability of being highlighted in news articles related to a
successful cyber attack. Prior to 2003, there was no federal government legislation in place that required a
company to report a disclosure of private information (Hasan 2006). The federal government has since
passed laws such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act,
and the Sarbanes-Oxley Act. While these Acts do not create specific cyber breach notification
requirements, they did give the authority to create such requirements (Wendlandt 2004). Only recently
have states begun to pass breach notification laws, which can essentially be attributed to two main events.
First, in July of 2003 California became the first state to enact legislation that required companies operating
within the state to report any compromise of private information to affected parties (NCSL 2007). The
second event, the ChoicePoint incident in February of 2005, showed that the impacts of cyber security
breaches can be large, and impact a significant number of people. The company announced that it had
unwittingly sold the personal information of at least 145,000 Americans to identity thieves in 2004
(Waldermeir 2006). Because of this incident, ChoicePoint has incurred significant financial losses from
legal and professional fees, victim notification costs, heightened cyber security investments, and damaged
reputation (Waldermeir 2006). As a result states began enacting security breach notification legislation,
and currently 34 states have some form of law in place (Hasan 2006). The changes in breach reporting
requirements offer an important by-product: visibility to the press. Given that the press has interest in
reporting on cyber breaches, this will inherently give visibility to the public. The question we face now is
how companies will invest in cyber security given its impact on their reputation and corresponding impacts
on their revenues and profits.
The analyses and results presented in this paper have two principal objectives: 1) We would like to
be able to understand how reporting laws could affect companies’ actions with regard to cyber security
investments, and 2) We look to understand the differences between various industries regarding how they
relate cyber security investments and protecting their reputation. This paper also poses two important
questions with respect to the assessment of breach reporting legislation: 1) How does the rate of reporting
security breaches across states compare with the rate of reporting of security threats to computer operating
systems?, and 2) What factors other than the implementation of breach reporting legislation affect the rate
of reporting security breaches across states?
We have developed an analytical method for using readily available information and monetarily
quantifying the risk to reputation that a publicized security breach presents to one industry versus another.
Along with this method, we have also developed a methodology that can be applied in future analyses to
evaluate the effectiveness of breach reporting legislation and can assist in pinpointing legislative
weaknesses across states. Understanding industry-to-industry variations in cyber risk assessment, the
differences in breach reporting laws across states, and the factors that contribute to varying rates of breach
reporting across industries allows one to recognize the relative impact of tighter reporting legislation across
the various sectors of our economy.
3 Methodology
3.1 Reputation Model
This section presents the model used to quantify a company’s perceived risk to reputation loss due
to the publication of a news article revealing a security breach. Company financial data are used to
estimate model parameters and calculate model outputs for companies in the financial, retail, and
manufacturing industries. The reputation model illustrates how one industry perceives cyber security as
affecting its reputation compared to another industry. This is accomplished by deriving an equation for how
much of each company’s overall cyber investment might be logically allocated toward reputation, and then
calculating the ratio of the allocation percentages. The allocation related to reputation is inferred from an
expected value calculation that includes the likelihood of having an attack reported in the press. The
variables used for this model are summarized below:
β = Probability of a company being the victim of a successful cyber attack resulting in a news article within
a one year time period, assuming that the company does not specifically focus on its reputation as a reason
for additional cyber security investment
α = Probability of a company being the victim of a successful cyber attack resulting in a news article,
assuming that the company makes an additional cyber security investment that is focused on protecting
company reputation
P = Profit at risk due to the public visibility of a security breach
V = Revenue at risk due to the public visibility of a security breach
PM = Profit margin of the company
C = Total annual company investment for cyber security
K1 = Percent of overall cyber security spending allocated towards protecting reputation
K2 = Percent of expected financial loss due to a reputation-impacting cyber attack that a company invests to
avoid exposure via a news article
Industries i and j, noted in the following equations, represent different U.S. industries (e.g., manufacturing,
banking) where i ≠ j.
In addition, there are a number of assumptions used for the model. The list of assumptions is as
follows:
1) β is the current observed annual probability of a security breach being publicized. We assume all
companies within a specific sector of the economy have the same potential for being the recipient of a
security breach publication
2) The added reputation focused cyber security investment is made in the hope that no publicized security
breaches will occur, or that the probability of a publicized cyber attack will be reduced to nearly zero (α=0).
3) The value of K2, the percentage of the expected reputation-driven financial loss a company is willing to
pay for its reputation-based cyber protection, is the same from one company to another (i.e., we treat this in
a manner similar to insurance, where rates are risk-based, and the same from one buyer to the next when
the risks are the same).
Using these assumptions, the following results are derived:
$$\beta_i \cdot P_i \;\ge\; K_{1i} \cdot C_i + \alpha_i \cdot P_i \qquad (1)$$
In Equation (1) we assume that the added cyber investment made towards protecting reputation must be
less than or equal to the expected value of the potential revenue at risk. We also assume that the reputation
focused cyber security investment is made in the hope that no publicized security breaches will occur, so
that the probability of a publicized cyber attack (αi) will reduce to zero, resulting in Equation (2).
$$\beta_i \cdot P_i \;\ge\; K_{1i} \cdot C_i \qquad (2)$$
We then multiply the left side of the equation by K2i to account for the percentage of expected loss that a
company is willing to spend in order to reduce risk. Accordingly, the inequality becomes an equality and
we get Equation (3).
$$K_{2i} \cdot \beta_i \cdot P_i = K_{1i} \cdot C_i \qquad (3)$$
Next, we divide both sides of the equation by PMi. Dividing the profit at risk, Pi, by the profit margin, PMi,
results in the revenue at risk, Vi, as shown in Equation (4).
$$\frac{K_{2i} \cdot \beta_i \cdot P_i}{PM_i} = \frac{K_{1i} \cdot C_i}{PM_i}
\quad\Longrightarrow\quad
K_{2i} \cdot \beta_i \cdot V_i = \frac{K_{1i} \cdot C_i}{PM_i} \qquad (4)$$
We then bring the variables Ci and PMi to the left side of the equation so that we may isolate K1i. In
addition, we adjust the equation for easier reading, resulting in Equation (5).
$$K_{1i} = \frac{K_{2i} \cdot \beta_i \cdot PM_i \cdot V_i}{C_i} \qquad (5)$$
We can now use Equation (5) to compare industry i to industry j, where i ≠ j. This comparison is shown in
Equation (6).
$$\frac{K_{1i}}{K_{1j}} = \frac{\beta_i}{\beta_j} \cdot \frac{PM_i}{PM_j} \cdot \frac{C_j}{C_i} \cdot \frac{K_{2i}}{K_{2j}} \cdot \frac{V_i}{V_j} \qquad (6)$$
As indicated above, we assume that the value of K2 is the same from one company to another, so the K2
ratio becomes equal to one, resulting in Equation (7).
$$\frac{K_{1i}}{K_{1j}} = \frac{\beta_i}{\beta_j} \cdot \frac{PM_i}{PM_j} \cdot \frac{C_j}{C_i} \cdot \frac{V_i}{V_j} \qquad (7)$$
We then collect data for applying Equation (7) to provide an evaluation of the relative emphasis different
sectors of the economy should logically place on reputation as related to cyber security.
3.2 Framework for Law Evaluation
Here we introduce elements of a framework that can be used in the assessment of the effectiveness
of cyber security breach reporting legislation. The framework consists of two main analyses: 1) A
correlation analysis to uncover any factors that may contribute to the rate of breach reporting across states,
and 2) A rate comparison analysis that compares the rates of breach reporting to the rate of software
companies developing various operating system security patches (in response to identified exploitation
possibilities). The results of the analyses are then given multiple interpretations, and conclusions are
drawn.
Before going into further detail about the analyses conducted, a number of terms must be defined.
First, a breach is defined to be an event in which computerized personal information was, or is reasonably
believed to have been, acquired by an unauthorized person. It does not include denial of service or other
attacks that do not satisfy the definition. A publicized breach is a breach that is made public by reporting to
consumer reporting agencies, law enforcement, the media, or directly to the individuals affected. Personal
information is defined as the first name or initial and last name of an individual, with one or more of the
following: 1) Social Security Number, 2) driver’s license number, 3) credit card or debit card number, or
4) a financial account number with information such as PINs, passwords or authorization codes that could
gain access to the account (Proskauer 2007). In the context of this paper, a breach reporting law is defined
as a state law that requires handlers of personal information to notify all affected parties in the event of a
breach that compromises the parties’ personal information. Finally, in the rate comparison analysis, the
term threat is used rather than vulnerability when describing security patches. The assumption is made that
only critical or high level vulnerabilities are true threats that can lead to a breach of security for companies
and government agencies, so they are the only patches included in the counts.
This framework for effectiveness evaluation offers three important views of the current state of
cyber security breach reporting. First, a simple state-by-state count of publicized security breaches is made
to offer a very general, macro view of breach reporting. Next, the correlation analysis aims to identify any
factors that may contribute to different rates of reporting across states. The number of publicized breaches
is compared to factors such as the existence of a law in a state, the population of a state, the number of
businesses in a state, and the size of newspaper distributions in a state. Finally, the rate comparison
analysis offers a view of how breach reporting and corporate responsibility compare to the hacking threat
posed to the most used operating systems. If there are major disparities in rates, hypotheses can be made
about how companies are acting with respect to the actual level of risk in their cyber security systems.
3.3 Data
The company data to develop results for the cyber risk analysis were collected from various
sources. Morningstar and Yahoo Finance were used to collect data on revenue and profit margin for
companies (Vi, PMi). Overall cyber security spending for each company (Ci) was approximated using data
from Forrester Research, a research institution that focuses on technology trends (Kark 2006, Bartels 2006).
The 2006 IT spending forecasts as percentages of revenue, available from Forrester publications, were
multiplied by the 2006 IT security spending forecasts, also available from Forrester publications, as a
percentage of IT spending. The resulting percentages were used as estimates of cyber security spending as
a fraction of company revenue and the industry in which the company resides.
In order to estimate the likelihood of a successful cyber attack, we dealt with companies with
5,000 or more employees as the set of companies of interest. The probability of a company with greater
than 5,000 employees having a published security breach in a one year period was calculated by dividing
the total number of companies in each industry with at least one newspaper article published in a one year
span by the total number of companies in that industry. The number of security breach articles was
acquired for October 1, 2005 to September 30, 2006, from the article databases
PrivacyRightsClearingHouse.org and Attrition.org. The total number of companies in the U.S. with over
5,000 employees, on a sector by sector basis, was taken from the U.S. Census Bureau. We define a sector
to be a subset of an industry (i.e., one company can be in multiple sectors). Because our industry
definitions for news articles differed slightly from the Census Bureau’s for sectors, we depended on sector
counts rather than entire industry counts. In some cases, the Census Bureau would specify industry
company counts for companies with over 5,000 employees, but only specified sector company counts for
companies with greater than 1,000 employees. To account for this difference, we calculated the proportion
of companies with over 1,000 employees in an industry that were from a given sector by dividing the
number of companies with over 1,000 employees in the sector by the number of companies with over 1,000
employees in the industry (see Equation (8)). Given only the number of companies with over 5,000
employees in an industry, we assumed that the sector proportion remained constant and multiplied the
percentage by the industry count to get the number of companies with over 5,000 employees in a sector
(see Equation (9)).
$$E_i = \frac{\#\,\text{Companies in Sector}_i\ (>1\text{K employees})}{\#\,\text{Companies in Industry}_F\ (>1\text{K employees})} \qquad (8)$$
$$\#\,\text{C in Sector}_i\ (>5\text{K employees}) = E_i \cdot \#\,\text{C in Industry}_F\ (>5\text{K employees}) \qquad (9)$$
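The model of Sections 3.1 and 3.3 can be run end to end. The following is an added worked example written for this page, not the paper’s own code: it scales an industry count down to a sector per Equations (8) and (9), estimates β as the share of large companies with at least one breach article, approximates C from revenue and the two Forrester-style percentages, and then computes the K1 allocation of Equation (5), the budget bound of Equation (2) with α = 0, and the K1 ratio of Equation (7). All numeric inputs are constructed sample values rather than the paper’s data, so the resulting ratio differs from the figures reported in Section 4.

```python
"""Reputation-allocation model of Sections 3.1 and 3.3, as an added worked
example.  Illustrative code written for this page, not the paper's own; every
number below is a constructed sample value, not the paper's data."""
from dataclasses import dataclass


def sector_count_over_5k(sector_over_1k: int, industry_over_1k: int,
                         industry_over_5k: int) -> float:
    """Eq (8) and (9): scale an industry's >5K-employee company count down to
    one sector using that sector's share of the >1K-employee count."""
    e_i = sector_over_1k / industry_over_1k        # Eq (8)
    return e_i * industry_over_5k                    # Eq (9)


def estimate_beta(companies_with_article: int, companies_in_sector: float) -> float:
    """beta: share of large companies in the sector with at least one
    published breach article in the one-year window (Section 3.3)."""
    return companies_with_article / companies_in_sector


def estimate_cyber_spend(revenue: float, it_share_of_revenue: float,
                         security_share_of_it: float) -> float:
    """C: approximated as revenue x (IT % of revenue) x (security % of IT),
    the way Section 3.3 combines the two Forrester percentages."""
    return revenue * it_share_of_revenue * security_share_of_it


@dataclass
class Industry:
    name: str
    beta: float             # annual probability of a publicized breach
    profit_margin: float    # PM
    cyber_spend: float      # C, total annual cyber security investment
    revenue_at_risk: float  # V, revenue at risk from a publicized breach


def k1_share(ind: Industry, k2: float) -> float:
    """Eq (5): K1_i = K2_i * beta_i * PM_i * V_i / C_i, the fraction of the
    cyber budget logically allocated to reputation protection."""
    return k2 * ind.beta * ind.profit_margin * ind.revenue_at_risk / ind.cyber_spend


def within_expected_loss(ind: Industry, k1: float) -> bool:
    """Eq (2) with alpha = 0: reputation spend K1*C may not exceed the
    expected profit at risk beta*P, where P = PM * V."""
    profit_at_risk = ind.profit_margin * ind.revenue_at_risk
    return k1 * ind.cyber_spend <= ind.beta * profit_at_risk


def k1_ratio(i: Industry, j: Industry) -> float:
    """Eq (7): K1_i / K1_j with the K2 ratio set to one."""
    return ((i.beta / j.beta) * (i.profit_margin / j.profit_margin)
            * (j.cyber_spend / i.cyber_spend)
            * (i.revenue_at_risk / j.revenue_at_risk))


# --- constructed sample inputs (not the paper's data) ---------------------
# Sector sizing: 120 of the industry's 400 companies with >1K employees are in
# the sector of interest, and the industry has 50 companies with >5K employees.
SECTOR_OVER_5K = sector_count_over_5k(120, 400, 50)     # 15.0 companies
BETA_SECTOR = estimate_beta(3, SECTOR_OVER_5K)          # 3 of 15 -> 0.2

FINANCE_LIKE = Industry("finance-like", beta=0.06, profit_margin=0.20,
                        cyber_spend=estimate_cyber_spend(1000.0, 0.06, 0.25),
                        revenue_at_risk=100.0)
RETAIL_LIKE = Industry("retail-like", beta=0.01, profit_margin=0.05,
                       cyber_spend=estimate_cyber_spend(1000.0, 0.02, 0.20),
                       revenue_at_risk=100.0)


def compare(i: Industry, j: Industry, k2: float = 0.5) -> dict:
    """Per-industry K1 allocations, the cross-industry ratio computed two ways
    (from the shares and directly via Eq (7)), and the Eq (2) bound check."""
    k1_i, k1_j = k1_share(i, k2), k1_share(j, k2)
    return {
        "k1_i": k1_i,
        "k1_j": k1_j,
        "ratio_from_shares": k1_i / k1_j,
        "ratio_eq7": k1_ratio(i, j),
        "bounded": within_expected_loss(i, k1_i) and within_expected_loss(j, k1_j),
    }


if __name__ == "__main__":
    print(compare(FINANCE_LIKE, RETAIL_LIKE))
```

Because K2 is assumed equal across industries, `ratio_from_shares` and `ratio_eq7` agree for any choice of `k2`; the `bounded` flag is what fails if someone supplies a K2 above one, i.e. a reputation budget larger than the expected loss it is meant to avoid.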
With respect to the framework analyses, additional data pertinent to cyber security breach
reporting legislation had to be collected and the accessibility and availability of data had to be determined.
As there is no central, federal or state-sponsored database of reported security breaches, the third-party
reporting sites used for the cyber risk analyses, PrivacyRightsClearinghouse.org and Attrition.org, had to be
used to gain an estimate of the true rate of breach reporting across states. To conduct the correlation
analysis, state statistics and information were taken from the Census Bureau. Finally, to conduct the rate
comparison analysis, the vulnerability patch rates of various operating systems were taken from the
National Vulnerability Database.
4 Reputation Analysis Results
The reputation analysis results are presented in three ways: 1) Reputation-based financial loss due
to a news article, independent of the details of the breach, 2) Reputation-based financial loss due to a news
article when the breach being reported only impacts customers for the company’s products and 3)
Reputation-based financial loss due to a news article when the breach being reported only impacts company
employees and supply chain partners. The first representation assumes that all published articles
mentioning a security breach will have a negative effect on reputation, regardless of the consequences of
the breach or the parties affected by it. The second representation assumes that only articles
mentioning security breaches that affect customers of the company’s products will have a negative effect
on reputation. The third representation assumes that only articles mentioning security breaches that affect
supply chain partners, partner companies, and employees affect reputation negatively.
The results for each representation are presented in graphs in Figures 1, 4 and 5. The ‘betas’ are
estimates of the β’s in Equations (1) through (7), the probability of a company being the victim of a
successful cyber attack resulting in a news article in a one year time period, assuming no added investment
allocated for reputation effects.
Fig. 1. This graph shows that the finance industry’s β is much larger than that of the retail and
manufacturing industries. This means that, according to available data, companies in the finance industry
have a significantly higher probability of having a publicized security breach than companies in the retail
and manufacturing industries.
After the β’s were calculated, they were used in the calculation of the K1 ratios. Three industry
comparisons were made: finance versus retail, finance versus manufacturing, and manufacturing versus
retail. A comparison of industry i versus industry j was made by dividing K1i by K1j, as shown in Equation
(7) and assuming that the ratio of revenues at risk is one. The results of the K1 ratios are presented in
Figure 2.
Fig. 2. This graph shows the K1 ratios calculated using β values of the industries. For simplicity, the V
ratios are assumed to be equal to one. To account for the lack of data available for the manufacturing
industry in the customer analysis (i.e., no security breaches impacting customers were published for the
industry), we combined the retail and manufacturing industries, calculated a β, and calculated the K1 ratio
for the finance industry versus the combination of the two industries.
For the sake of simplicity, the V ratios are set to one in Figure 2. Below in Figure 3, the V ratios
act as the independent variable and the K1 ratios are computed for different levels of V ratios. It is likely
that the K1 ratios and V ratios are positively correlated, meaning that a high K1 ratio will be accompanied by
a V ratio greater than one. Therefore, it could be assumed that the high K1 ratios presented in the coming
sections are in actuality greater, translating to an even greater bias in reputation-based cyber investment.
[Fig. 3 plot: “K1 Ratios with V Ratio as Independent Variable”; x-axis: V Ratio (0 to 5); y-axis: K1 Ratio (0 to 70); series: Unbiased - FvsR, Unbiased - FvsM, Unbiased - MvsR, Customer - FvsR, Customer - FvsRM, SupplyC - FvsR, SupplyC - FvsM, SupplyC - MvsR]
Fig. 3. This graph shows the K1 ratios calculated with the V ratios as the independent variable.
4.1 Results - Unbiased Reader
In the analysis of the reputation-based financial loss due to a news article, independent of the
details of the breach, the finance industry has a significantly larger β (.0648) compared to the retail (.0111)
and manufacturing (.0110) industries (Figure 1). The greater likelihood of having a publicized security
breach has an impact on the K1 ratio results. As shown in Figure 2, the finance industry investment profile
derived from Forrester data infers that a greater percentage of its cyber budget would logically be allocated
to protect against the negative reputation effects of a publicized security breach than for the other two
sectors. More specifically, it appears that the finance industry should allocate 6.72 and 3.37 times more of
its cyber budget toward reputation impacts than the retail and manufacturing industries, respectively. We
may also infer that manufacturers should be more concerned with reputation effects of publicized security
breaches than retailers, allocating twice as much of their cyber budget to protect their reputation.
4.2 Results – Customers
In this analysis, the finance industry’s β again dominated the other industries due to the higher
volume of publicized cyber security breaches. A complication arises as the manufacturing industry does
not experience a publicized security breach during the one year period. To account for this, we combine
the data for the retail and manufacturing industries so that a comparison can be made. The finance industry
has the highest β of .0605, compared to the retail industry’s value of .0093 and the manufacturing/retail
industry’s value of .0043 (Figure 4).
The results of the K1 ratio calculations are similar to those of the unbiased reader analysis. As
shown in Figure 1, the finance industry should invest a greater percentage of its cyber budget to protect
against the negative reputation effects of a publicized security breach when the breach being reported only
impacts customers for the company’s products. More specifically, the finance industry should invest 7.52
times more than the retail industry. When the data are combined, we find that the finance industry should
invest 11.01 times more than the retail and manufacturing industries combined.
Fig. 4. This graph shows that, according to available data, the finance industry has a greater likelihood of
having a publicized security breach that would influence customers. Manufacturing and retail have a
combined β because, during the one year span, the manufacturing industry did not experience a publicized
security breach that affected customers.
4.3 Results – Supply Chain
We see far different results in this analysis, as the manufacturing industry has a larger β value
(.0110) than the finance (.0086) and retail (.0019) industries (Figure 5). This change in the likelihood of
having a publicized breach for each industry gave a completely different view of reputation concerns. As
shown in Figure 1, the manufacturing industry allocates 11.95 times more of its overall cyber security
budget than the retail industry does toward reputation protection in its supply chain. Because the K1 ratio
for finance versus manufacturing is less than one, it can be inverted to reveal that manufacturers will be
willing to allocate twice as much of their budgets as financial institutions to protect against reputation-based
loss. These results are reasonable – manufacturers, who depend greatly on supply chain partners and
whose customers are often other companies, are willing to invest more to protect their reputation with their
partner companies and employees.
Fig. 5. This graph shows that, according to available data, the finance and manufacturing industries have a
greater likelihood of having a publicized security breach that would influence supply chain partners,
business partners, or employees.
5 Framework Results
5.1 Breach Count Analysis
The analysis begins with a simple count of the number of breaches reported in 2005 and 2006. In
2005 there were a total of 143 reported cyber security breaches in the United States, and 46% of states had
some form of cyber security breach reporting legislation. As shown in Table 1 and Figure 6, nearly half of
the publicized breaches involved colleges and universities, with financial institutions, state agencies,
federal agencies, and medical institutions also having high counts. When a state-by-state view is taken of
the breach counts, California dominated other states with approximately 23% of the total breaches reported
(see Table 2). Along with California, Ohio, Georgia, New York, Colorado, Texas, North Carolina,
Michigan, Iowa, Massachusetts, and Washington D.C. accounted for 70% of the total breaches reported.
Out of the 143 reported security breaches, 72% were reported in states that had enacted cyber security
breach reporting legislation.
Table 1
2005 Cyber Security Breach Count by Industry
Table 2
2005 Cyber Security Breach Statistics by State
The next year in 2006, there were a total of 319 reported cyber security breaches, an increase of
123% from 2005, and 60% of states had enacted some form of legislation. As shown in Table 3 and Figure
7, colleges and universities still saw the greatest percentage of publicized breaches; however, the growth
rate of reported breaches in state agencies, federal agencies, financial institutions, and medical institutions
was greater than that of colleges and universities. When a state-by-state view is taken of the breach counts,
California breaches accounted for the greatest percentage of any state with 13.5% of the total publicized
breaches (see Table 4). The reported breaches were more evenly spread out among states in 2006, with the
top 11 states only accounting for 60% of total breaches. North Carolina, Iowa, Michigan, and
Massachusetts dropped out of the top ten, and Virginia, Washington, Florida, and Illinois entered with
significant increases from the prior year.
Table 3
2006 Cyber Security Breach Count by Industry
Table 4
2006 Cyber Security Breach Statistics by State
Across the fifty states and the District of Columbia, 41 states saw an increase in the number of
publicized security breaches from 2005 to 2006, six states saw no change in the number of breaches, and
only Georgia, Nevada, Hawaii, and Missouri saw a decrease. There were 23 states that had legislation in
place prior to 2006, and 19 of them saw an increase in the number of reported cyber breaches from 2005 to
2006. Eight states enacted breach reporting legislation in 2006, and the total number of reports among
them doubled from 2005 to 2006. Of the eight states, all saw an increase in breach reports with the
exception of Idaho, which remained at one breach. The 20 states, and the District of Columbia, which had
no breach reporting laws in place prior to 2007, saw the greatest percentage increase. Fifteen of the states
saw an increase in reports from 2005 to 2006, and the total number of reports among them increased nearly
300%.
For the purposes of this paper, disclosures of personal information can be divided into two
categories: 1) Disclosures involving breaches of data by hackers outside of the organization, and 2)
Disclosures involving breaches of data by insiders, lost computers and hardware, and stolen computers and
hardware. In 2005, only 34% of reported breaches were of the first category, and of those reported
breaches, 80% were reported by colleges and universities (see Table 5). An increase in the number of
hacker reports was seen in 2006, but the number of hacker reports as a percentage of the total number of
cyber reports decreased to just below 19% (see Table 6). This is potentially a positive finding, as a rise in
the effectiveness of cyber security applications could be contributing to the slower rate of increase of reports.
However, this could also be discouraging if the slower rate is due to companies withholding information on
hacker attacks.
Table 5
2005 Outside Hacker Breach Report Count by Industry
Table 6
2006 Outside Hacker Breach Report Count by Industry
Before any assumptions can be made, an analysis must be conducted to uncover any factors that
may contribute to a state’s level of cyber security breach reports. For example, one would not want to
automatically assume that California has more cyber security breach problems than Iowa because it has
eleven times as many reported breaches. There are other factors, such as state population, the number of
businesses within a state, and state newspaper distribution that could affect the number of breaches
reported. Next, a correlation analysis will be presented in an effort to uncover these factors.
5.2 Correlation Analysis
To conduct the correlation analysis, a number of state statistics were taken from the Census
Bureau. Other quantitative and qualitative variables could be used in future analyses, but the variables used
in this paper are state population, state median income, state newspaper distribution, total number of firms
within a state, and the existence of a breach reporting law within a state. Factors were considered strongly
correlated when the correlation was greater than or equal to 0.80.
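The correlation screen described above, as an added example that is not from the paper: a small set of constructed state records (placeholders, not Census or breach data) is scored with a Pearson coefficient against the reported breach count, and any factor at or above the paper's 0.80 cut-off is flagged as strongly correlated.

```python
"""Added example (not from the paper): a Pearson correlation screen in the
style of Section 5.2, run over a small CONSTRUCTED set of state records.
The numbers are illustrative placeholders, not Census or breach data."""
from math import sqrt

STRONG_THRESHOLD = 0.80  # the paper's cut-off for a "strong" correlation

# Constructed sample, one row per state: (label, population in millions,
# firms in thousands, newspaper circulation in thousands,
# breach reporting law in force (1/0), breaches reported)
STATES = [
    ("A", 36.0, 1300, 7800, 1, 33),
    ("B", 22.0,  800, 4600, 1, 19),
    ("C", 19.0,  700, 4200, 0, 17),
    ("D", 12.0,  450, 2900, 1,  9),
    ("E",  8.0,  330, 1900, 0,  8),
    ("F",  5.5,  240, 1300, 1,  4),
    ("G",  3.0,  130,  700, 0,  3),
    ("H",  1.5,   60,  300, 1,  2),
]
FACTORS = ["population", "firms", "newspapers", "law"]  # columns 1..4 above


def pearson(xs, ys):
    """Sample Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two sequences of equal length >= 2")
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0 or sy == 0:
        return 0.0  # a constant column (e.g. every state has a law) carries no signal
    return cov / (sx * sy)


def correlate_factors(rows):
    """Correlate each candidate factor with the breach count, rounded to 2 dp."""
    breaches = [r[5] for r in rows]
    return {name: round(pearson([r[i + 1] for r in rows], breaches), 2)
            for i, name in enumerate(FACTORS)}


def strong_factors(corrs, threshold=STRONG_THRESHOLD):
    """Factors the paper's rule would call strongly correlated."""
    return sorted(k for k, v in corrs.items() if v >= threshold)


if __name__ == "__main__":
    corrs = correlate_factors(STATES)
    for name, r in corrs.items():
        print(f"{name:>11}: r = {r:+.2f}")
    print("strong:", strong_factors(corrs))
```

With the constructed rows, population, firms and newspapers all clear the cut-off while the binary law indicator does not, mirroring the pattern the paper reports; note that a 0/1 indicator can only move the coefficient so far, which is one reason the paper turns to the details of individual laws.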
The results of the correlation analyses for 2005 and 2006 are given in Table 7. In 2005, there were
strong correlations between state population and the number of reported breaches (0.82), and the number of
firms and the number of reported breaches (0.83). This is not surprising, as it seems logical that a greater
population would lead to a greater number of businesses, which would lead to more opportunities to
experience a cyber breach. The existence of a breach reporting law did not have a significant correlation
(0.31) with the number of breaches.
Table 7
Correlation Analysis Results
In 2006, there was an even greater correlation between state population and the number of
reported breaches (0.86), and the number of firms within a state and the number of reported breaches
(0.87). Also, there was a significant correlation between the number of newspapers in circulation and the
number of reported breaches (0.85). This is a logical finding, as one would assume that state population
would be positively correlated to the number of newspapers in distribution. As in 2005, there was low
correlation between the existence of a breach reporting law and the number of reported breaches in a state
(0.21).
To take a closer look at the lack of correlation between the existence of a breach reporting law and
the number of reported breaches in a state, the details of individual laws had to be examined. One factor
that could be an important disparity between laws is the requirement of a company to notify a consumer
reporting agency when a breach of security occurs, rather than just the affected parties. However, when
analyzed, no correlation was found between requiring notification to consumer reporting agencies and the
number of reported breaches in a state (0.21). In fact, only 36% of the total attacks reported were from
states that required a consumer reporting agency notification. This does not, however, indicate that the
requirement of a company or government agency to report to a central body is of no value. This
requirement would at least offer more visibility to the public and more accessibility of data to researchers,
specifically if a public database of reported breaches was created.
Thus far, we have shown how simple correlation analyses can be used to make inferences about
the effectiveness of breach reporting laws. We have not, however, developed a framework to evaluate the
performance of companies with respect to state breach reporting laws. The next section details how cyber
security breach reporting rates and operating system vulnerability patch rates can be analyzed to infer how
effective companies’ cyber security applications are at protecting their information.
5.3 Rate Comparison Analysis
To conduct this analysis, the overall count of reported cyber security breaches was taken and
divided according to industry, as seen in Tables 2 and 4. Then, because we are only analyzing threat patch
rates, we are only concerned with reports that involve breaches of security by hackers outside of the
company or government agency. Thus, we offer counts of only these breaches in Tables 5 and 6. We then
compare these rates to the security threat patch rates for various operating systems predominantly
used by the given industries, which are taken from the National Vulnerability Database. The counts of
security threat patches were only of patches of “critical” or “high” severity, as we made the assumption that
highly severe threats would be of greatest concern to companies and government agencies.
There were two main limitations faced when collecting data for this analysis. First, because the
breach reporting laws are still in their formative years, there is limited data on outside hacker breach
reports. This means that the breach reporting rates may be subject to high uncertainty. Second, the rate of
security threat patches is not a proven, precise representation of the actual cyber threat posed to companies
and government agencies. However, there is no precise way to realize the actual level of cyber threat in a
network, and we believe that the patch data is sufficient for the developmental stages of an evaluation
framework. Due to these limitations, we will simply offer an example scenario of how this data could be
used. If one were to have access to information on the actual usage of operating systems within an
industry, they could apply the data to this framework to gain a better understanding of how industry
reporting and actual threat rates compare.
For illustrative purposes, we analyze colleges and universities. From 2005 to 2006, colleges and
universities saw outside hacker breach reports drop from 39 to 27, a decrease of 31%. If one were to
assume that educational institutions predominantly use a Microsoft operating system, we would see from
the National Vulnerability Database data that the OS saw an increase of 32% (71 to 94) in critical patches
from 2005 to 2006. Although this is not all-telling, one could make a number of inferences from this
information. One possible explanation for the difference in rates is that cyber threats are being patched in a
timelier manner across all universities and colleges, translating into better cyber protection for users of their
services. Alternatively, however, educational institutions could be withholding breach information or
reporting hacker breaches as another category of cyber breach, as reporting one may have more negative
repercussions than reporting the other.
A second, similar example can be made of the finance industry. From 2005 to 2006, financial
institutions saw a 400% increase in outside hacker breach reports, from one to five. One could make the
assumption that UNIX is the predominantly used operating system in the industry, in which case we would
see no change in vulnerability patches as the National Vulnerability Database reports one patch for both
2005 and 2006. Again, this data is not all-telling, but a number of hypotheses could be formed. One
possible explanation for the rate disparities is that financial institutions are not patching in a timely manner
and multiple institutions are being affected by the same vulnerability. Another possibility is that, because
state breach reporting laws have existed for such a short period of time, companies are just beginning to
adjust to legislative compliance. Before any conclusions can be made, one must have an understanding of
what is at stake and what the rationale is for educational institutions to report or withhold information on
cyber security breaches. Over time, as more data becomes available, more substantial analyses can be
performed to gain an improved understanding of the impact of reporting laws.
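The rate comparison of Section 5.3, as an added example that is not part of the paper: it takes the 2005 and 2006 counts quoted in the text (outside hacker breach reports and the National Vulnerability Database critical/high patch counts for the operating system the paper assumes for each industry), computes the percentage change of each, and reports the gap between them, returning no rate when the 2005 base is zero.

```python
"""Added example (not from the paper): the Section 5.3 rate comparison
carried out on the 2005 -> 2006 counts quoted in the text. The operating
system assumed for each industry is the paper's illustrative assumption,
not measured usage data."""

# (reports in 2005, reports in 2006) and (critical/high NVD patches in 2005, 2006)
INDUSTRIES = {
    "colleges and universities": {
        "assumed_os": "Microsoft", "hacker_reports": (39, 27), "patches": (71, 94)},
    "finance": {
        "assumed_os": "UNIX", "hacker_reports": (1, 5), "patches": (1, 1)},
}


def pct_change(before, after):
    """Whole-percent change from `before` to `after`; None when the base is 0,
    since a rise from zero has no defined rate (the small-count problem the
    paper lists as its first limitation)."""
    if before == 0:
        return None
    return round((after - before) / before * 100)


def compare_rates(industry, table=INDUSTRIES):
    """Set the report-rate change beside the patch-rate change for one industry.

    The gap (report change minus patch change, in percentage points) is what
    the framework asks the analyst to explain. The paper offers competing
    explanations (better patching vs. withheld or recategorised reports), so
    this function only measures the gap; it does not pick a cause."""
    rec = table[industry]
    reports = pct_change(*rec["hacker_reports"])
    patches = pct_change(*rec["patches"])
    gap = None if reports is None or patches is None else reports - patches
    return {
        "assumed_os": rec["assumed_os"],
        "report_change_pct": reports,
        "patch_change_pct": patches,
        "gap_points": gap,
    }


if __name__ == "__main__":
    for name in INDUSTRIES:
        row = compare_rates(name)
        print(f"{name}: reports {row['report_change_pct']:+}% vs "
              f"{row['assumed_os']} patches {row['patch_change_pct']:+}% "
              f"(gap {row['gap_points']:+} points)")
```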
6 Conclusion
The analyses we have presented are just two of many that could be conducted on openly available
data. As time goes on, the reporting laws for states will allow trend analysis as well as single year analysis.
In addition, since the reporting laws will be a primary source of information for news reporters, analyses
can be done to better understand the relationships between cyber events and reporting. Our results lend
support to the hypothesis that a financial institution has greater concern about protecting against
reputation-based financial loss due to publicized security breaches than a retailer or a manufacturer. It also supports
the idea that companies that are closer to the end customers are likely to care more about negative publicity
than suppliers to those companies. More specifically, our results show that the manufacturing industry
should be more concerned over protecting against the publicizing of cyber breaches that impact employees
and supply chain partners, while the finance industry is concerned over protecting against the publicizing of
all cyber breaches, regardless of what parties are impacted. Judging from our results, government and
industry policy makers should take into account that it is very likely that different sectors of the economy
will have different responses to certain cyber policies. The findings presented above would point to the
likelihood that reporting laws would stimulate banks to increase security investments in areas such as
customer identification theft, while manufacturers might be stimulated to invest in data encryption to
reduce the likelihood of business sensitive data being stolen.
If companies are going to have concerns about their reputation, they will essentially have two
ways to deal with it. The reputation-based financial effects of a publicized security breach can be seen as a
function of the actual attacks, the reporting of those attacks by law, and the reporting of those attacks by the
media. More specifically, using a Bayesian probability analysis, the probability of experiencing a negative
reputation-based financial effect due to a publicized cyber breach is equivalent to the product of the
probabilities of these three factors. We assume that companies cannot control the media and, therefore, can
only reduce reputation-based financial effects by either decreasing the probability of an attack or
decreasing the probability of an attack becoming visible to the public.
Reducing the probability of an attack and the probability of an attack becoming visible can be
accomplished by increasing the level of cyber security investment made towards protecting against
reputation-based impacts. However, it is possible that reducing visibility will prove to be less costly to companies if
methods other than increased investment are used, such as avoiding the reporting of security breaches.
Policy makers must be wary of the potential for companies to cover up cyber security breaches instead of
making additional cyber security investments. For example, a stolen laptop with important, unprotected
information stored in its memory can be viewed as a cyber security issue or as a stolen property issue,
depending on a company’s view of consequences for reporting it as a cyber event.
From the results of the framework analysis, we will offer a number of recommendations that will
aid future research on the topic and offer more visible, accurate information for consumers and researchers.
The first recommendation for the improvement of this proposed framework is time. Because only 34 states
and the District of Columbia have some form of breach reporting legislation, and many of those laws have
been in place for less than two years, there is not enough data available to make any reliable conclusions
about reporting trends. With time, more states will enact legislation, other states will modify legislation,
companies and government agencies will adapt to breach reporting legislation compliance, and trends will
be more easily identifiable.
Second, a central database for cyber security breach reports must be created either on the state or
national level. This database would serve two main purposes: 1) It would give greater visibility to the
entire public, not just the parties directly affected by the breach, and 2) It would make data on breach
reports more accessible and more reliable. The creation of a central reporting database would also call for
more rigid language in state legislation; states would need to require that businesses and government
agencies report to their respective databases and abandon legislation that allows bodies to report at their
own discretion and only to the affected parties. While more care would need to be taken in breach
reporting compliance, these changes would make for a more accurate depiction of the effectiveness of the
laws.
Finally, we recommend that further research be conducted on the topic of cyber threat patch rates
and their relevance to the actual cyber risk posed to users. Gauging the actual level of cyber risk of
operating systems is difficult because the risk is based on the level of intent of outside hackers and the
number of undiscovered vulnerabilities, which is unknown. It would be of great value to know how a
company’s level of cyber security, as measured by actual successful attacks, compares to the level of risk
implied by the patches required and patch rate for the company being evaluated, because one would then be
able to differentiate between a defect in state legislation and a lack of preparedness by a company.
It is important that policy makers understand that with the creation of cyber security breach
reporting laws, there is a newly created problem of moral hazard. More specifically, if a company
experiences a breach of security, there may be less incentive to report the breach if the actual financial
effects of the breach are minimal and the financial reputation-based effects of reporting the breach are
extensive. In addition, there may be incentive for a company to falsely report a cyber breach as an
alternative disclosure of private information. For example, a business may experience a breach of security
where an outside hacker accesses customer information; but to avoid more severe reputation-based
consequences, the company may report the incident as a lost or stolen laptop. Policy makers must have a
methodology set in place to somehow account for this moral hazard problem.
If these recommendations are adhered to, this framework for the evaluation of cyber security
breach reporting laws can be modified and improved such that a more accurate picture of the current state
of cyber security in the U.S. can be painted. Once the performance of state laws has been effectively
evaluated, policy makers can then take appropriate actions, such as conducting interviews with corporate
decision-makers or audits of companies and government agencies, to gain a more comprehensive view.
Only then can cyber security practices and legislation be accurately evaluated and effective modifications
made to give better protection to personal data.
References
A Chronology of Data Breaches Reported Since the ChoicePoint Incident. (2006). Privacy Rights
Clearinghouse. San Diego, California.
<http://www.privacyrights.org/ar/ChronDataBreaches.htm>.
Andrijcic, E. and B. Horowitz. (2006). A Macro-Economic Framework for Evaluation of Cyber Security
Risks Related to Protection of Intellectual Property. University of Virginia.
Attrition.org Data Loss Archive and Database (DLDOS). <http://attrition.org/dataloss>.
Bartels, Andrew. (2006, Mar. 31). US IT Spending Summary: Q4 2005 – Setting the Stage for Another
Year of Moderate 7% Growth in 2006. Forrester Research, Inc.
Chikofsky, Elliot and J. Cross. (1990). Reverse Engineering and Design Recovery: A Taxonomy.
<http://ieeexplore.ieee.org/iel1/52/1647/0043044.pdf?isnumber=&arnumber=4304>.
Client Alert: January 2007. Proskauer Rose LLP. 2007. Available: <http://www.proskauer.com>.
Hasan, Ragib and William Yurcik. (2006). A Statistical Analysis of Disclosed Storage Security Breaches.
National Center for Supercomputing Applications. University of Illinois at Urbana Champaign.
Kark, Khalid. (2006, Oct. 4). The State of Information Security Spending – Information Security Spending
Trends Downward. Forrester Research, Inc.
Kiely, M., E. Kobe, A. MacArthur, M. Polk, E. Rains, E. Andrijcic, J. Crawford, and B. Horowitz. (2006,
April 14). Macro Economic Cyber Security Models. University of Virginia.
Morningstar. (2006). [Online]. Available: <www.morningstar.com>.
“Security Breach/Notification Legislation.” National Conference of State Legislatures. October 8, 2006.
<http://www.ncsl.org/programs/lis/cip/priv/breach.htm>.
U.S. Census Bureau. (2003). [Online]. Available: <www.census.gov>.
Valckenaers, Paul. (2003). On the Design of Emergent Systems: An Investigation of Integration and
Interoperability Issues. Engineering Applications of Artificial Intelligence, Vol. 16, Iss. 4.
Waldermeir, Patti. ChoicePoint fined $15M by FTC. FT.com.
<http://www.ft.com/cms/s/b02019f4-8ea2-11da-b752-0000779e2340.html>.
Wendlandt, Dan. (2004). U.S. Cybersecurity Policy. Stanford University.
<http://www.stanford.edu/class/msande9siaut04/slides/cybersecurity_policy.ppt>.
Yahoo Finance. (2006). [Online]. Available: <http://finance.yahoo.com/>.